Zero-Click Flaws Discovered in UPS Devices
The ‘TLStorm’ Vulnerabilities Could Allow Attackers to Cause Both Cyber and Physical Damage by Affecting Critical Infrastructure.
An uninterruptible power supply (UPS), sometimes called an uninterruptible power source, is electrical equipment that supplies emergency power to a load when the input power source or mains power fails. UPS systems differ from auxiliary or emergency power systems and backup generators in that they offer near-immediate protection against input power disruptions, delivering energy stored in batteries, supercapacitors and/or flywheels.
Most UPS units have a limited on-battery run-time, sometimes only a few minutes, but that is long enough to bring a standby power source online or to shut the protected equipment down cleanly.
Researchers from Armis have disclosed three critical zero-day vulnerabilities in widely deployed APC Smart-UPS devices. The flaws, collectively nicknamed TLStorm, allow remote attackers to take over the devices and mount attacks against both IT assets and the physical equipment the UPS powers, with consequences ranging from business disruption and data loss to physical damage to critical infrastructure.
APC Smart-UPS units are deployed in about 20 million locations worldwide. APC is a subsidiary of Schneider Electric, one of the world's largest UPS manufacturers, and its devices supply backup power to mission-critical assets in data centers, industrial facilities, hospitals and elsewhere.
Because a UPS sits between the mains and mission-critical loads, exploitation carries a significant risk of disruption and destruction in both the cyber and physical worlds, and given the size of the install base the consequences could be felt on a worldwide scale.
ThreatPost reported that, by exploiting TLStorm, attackers could remotely take control of the devices and use them as a foothold to penetrate a company's internal network and steal sensitive data. By cutting power to mission-critical equipment or services, they could also inflict physical harm or halt business operations.
The researchers warn that because the latest APC Smart-UPS models are managed through a cloud connection, an attacker who successfully exploits the TLStorm vulnerabilities could take over devices from the internet with no user interaction and without the user being aware of it.
Such an attacker could gain code execution on the device and use it to alter how the UPS operates, causing physical damage to the device itself or to the assets connected to it.
Two of the three vulnerabilities stem from improper handling of Transport Layer Security (the "TLS" in TLStorm) on the connection between the UPS and the Schneider Electric cloud. TLS is the widely used protocol that authenticates and encrypts internet connections.
Devices that support the SmartConnect feature establish this TLS connection automatically at startup and whenever cloud connectivity is temporarily lost, which is why the flaws are reachable without any action by the operator.
The three vulnerabilities discovered are:
CVE-2022-22806 – TLS authentication bypass: a state-confusion flaw in the TLS handshake lets an attacker bypass authentication of the cloud connection.
CVE-2022-0715 – Unsigned firmware upgrade: firmware images can be installed over the network without a signature check, giving remote code execution (RCE).
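The firmware flaw above is a missing check rather than a memory bug: the device trusts whatever image arrives over the network. The following is an added illustration written for this page, not code from Armis, APC or Schneider Electric, and it does not reproduce the real Smart-UPS update format. It shows a fail-closed acceptance check beside the weak pattern it replaces. The image layout, the device key and the sample images are all constructed here; because the Python standard library has no RSA or ECDSA, an HMAC-SHA256 tag under a device-held key stands in for the asymmetric signature a real device would verify against a pinned public key. The control flow (bound the input, verify before trusting any field, refuse rollback, only then flash) is the point.

```python
"""
Added example: fail-closed firmware acceptance, weak form beside hardened form.
Constructed image layout (big-endian): magic(4) | version(4) | payload_len(4) | payload | tag(32)
The tag is HMAC-SHA256 over everything before it. This stands in for an
asymmetric signature; a real device verifies against a pinned public key.
"""
import hashlib
import hmac
import struct

MAGIC = b"UPSF"                     # constructed magic value, not APC's
TAG_LEN = 32
HEADER = struct.Struct(">4sII")     # magic, version, payload_len

# Constructed key for the example. A real device pins a public key, not a secret.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


class FirmwareRejected(Exception):
    """Raised when an image fails any acceptance check."""


def build_image(version: int, payload: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Assemble a tagged image; used here only to construct sample inputs."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def install_unsigned(image: bytes, current_version: int) -> bytes:
    """Weak pattern: accept any well-formed image from the network and 'flash' it."""
    magic, version, plen = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        raise FirmwareRejected("bad magic")
    return image[HEADER.size:HEADER.size + plen]


def install_verified(image: bytes, current_version: int, key: bytes = DEVICE_KEY) -> bytes:
    """Hardened pattern: bound, authenticate and version-check before trusting anything."""
    if len(image) < HEADER.size + TAG_LEN:
        raise FirmwareRejected("truncated image")
    magic, version, plen = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        raise FirmwareRejected("bad magic")
    body_len = HEADER.size + plen
    if body_len + TAG_LEN != len(image):          # length field must match what arrived
        raise FirmwareRejected("length field does not match image size")
    body, tag = image[:body_len], image[body_len:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):     # constant-time comparison
        raise FirmwareRejected("authentication tag mismatch")
    if version <= current_version:                 # anti-rollback, after authentication
        raise FirmwareRejected("rollback to version %d refused" % version)
    return body[HEADER.size:]                      # only now hand the payload to the flasher


def demo() -> dict:
    """Run both installers over constructed images and report each outcome."""
    genuine = build_image(3, b"genuine-firmware-v3")
    tampered = bytearray(genuine)
    tampered[HEADER.size] ^= 0xFF                  # flip the first payload byte
    tampered = bytes(tampered)
    forged = build_image(9, b"attacker-payload", key=b"not-the-device-key")
    old = build_image(1, b"genuine-but-old")

    def outcome(installer, img):
        try:
            installer(img, current_version=2)
            return "installed"
        except FirmwareRejected as exc:
            return "rejected: " + str(exc)

    return {
        "unsigned/genuine": outcome(install_unsigned, genuine),
        "unsigned/tampered": outcome(install_unsigned, tampered),
        "unsigned/forged": outcome(install_unsigned, forged),
        "verified/genuine": outcome(install_verified, genuine),
        "verified/tampered": outcome(install_verified, tampered),
        "verified/forged": outcome(install_verified, forged),
        "verified/old": outcome(install_verified, old),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

Running it shows the weak installer accepting the tampered and attacker-built images, while the verified installer accepts only the genuine, newer image. Two details matter in practice: the tag is checked before the version field is trusted, so an attacker cannot use an unauthenticated header to steer the logic, and the comparison uses `hmac.compare_digest` so a byte-by-byte mismatch does not leak timing.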